Published on 11 December 2025
# The complete guide to WordPress security
WordPress doesn't secure itself. That's your job. And that job is more important than ever.
In 2024, 7,966 vulnerabilities were discovered in WordPress websites. Not because WordPress core is insecure, but because 90% of all security issues occur in third-party plugins and themes. Your WordPress site is a target simply because it's WordPress. Hackers scan the internet with automated tools, looking for sites with known vulnerabilities. They don't need to know you personally to compromise your site.
A hacked website means downtime, lost revenue, reputation damage, and in the worst case, a Google blacklist that can last for months. The average cost of a hack ranges between €500 and €5,000, depending on the damage and how quickly you discover it.
But here's the good news: with the right security layers, you can stop 99% of all attacks before they cause damage. WordPress security isn't a one-time action, but a set of habits and layers that reinforce each other. In this guide, you'll learn step by step how to harden your WordPress site against attacks, from basics to advanced techniques.
We'll start with the foundation: backups. Because even with all security measures in place, something can always go wrong. And then you want to be back online within an hour, not within a week.
## The security mindset: defense in depth
WordPress security isn't a checklist you tick off once. It's a set of layers that reinforce each other. If one layer fails, the next layer catches it. This concept is called defense in depth, and it's the core of any solid security strategy.
Think of your WordPress site as a house. You don't just lock the front door, you also install an alarm, surveillance cameras, motion sensors, and maybe even a dog. Each layer makes it harder for a burglar to get inside. Hackers work the same way: they try the easiest way in. If there is no easy way in, most give up and move on to another target.
Here are the main security layers we'll build in this guide:
**Layer 1: Backups** - Your last resort when everything goes wrong. A good backup means you're back online within an hour after a hack. Without a backup, you're spending months on recovery, if it works at all.
**Layer 2: Updates** - The first line of defense. The vast majority of hacks exploit known vulnerabilities for which an update has been available for months. By keeping up with updates, you close 70% of all attack vectors.
**Layer 3: Access control** - Limit who can get in. Two-factor authentication, strong passwords, and login limiting make brute force attacks practically impossible.
**Layer 4: Hardening** - Strengthen your WordPress configuration. Hide version numbers, protect your wp-config.php, disable unnecessary functions. Make it as difficult as possible for hackers.
**Layer 5: Firewall** - Filter malicious traffic before it reaches your server. A good Web Application Firewall (WAF) automatically blocks known attack patterns.
**Layer 6: Monitoring** - Detect suspicious activity before it escalates. Malware scans, activity logs, and file integrity monitoring give you early warning signals.
No single layer is 100% waterproof. But together they form a system that stops the vast majority of attacks. Let's start with the most important layer: backups.
## Backups: your last resort
Backups aren't sexy. They cost time and money and you hope to never need them. Until the moment you do need them, and then they're priceless.
A backup is your ultimate failsafe. Server down? Restore the backup. Site hacked? Restore the backup. Database corrupt? Restore the backup. A good backup strategy means no disaster is permanent. You're back online within an hour, not within a week.
The **3-2-1 backup rule** is the gold standard:
- **3 copies** of your data (original + 2 backups)
- **2 different media** (e.g., server + cloud storage)
- **1 copy offsite** (not on the same server as your website)
For WordPress, this means concretely:
**What should you backup?**
- All WordPress files (wp-content/themes, plugins, uploads)
- The complete database (posts, pages, settings, users)
- .htaccess and wp-config.php files
**How often should you backup?**
- **Daily** if you add or modify content
- **Before every update** of WordPress, themes, or plugins
- **Weekly** for static websites without many changes
- **Real-time** for webshops or membership sites (transactional data)
**Where do you store backups?**
- At least one copy on external cloud storage (Google Drive, Dropbox, Amazon S3)
- Never only locally on the same server as your website
- Test your backups regularly by doing a restore on a staging environment
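As an added example (not code from the original guide), here is a small backup job that implements the list above: it dumps the database using the credentials in wp-config.php, bundles wp-content, wp-config.php and .htaccess into one dated archive, writes a SHA-256 checksum for verifying the offsite copy, and includes the "test your backup" step as a function. It assumes mysqldump, tar, gzip and sha256sum are installed and that DB_HOST in wp-config.php is a plain hostname.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): a minimal backup job for the
# "what should you back up" list above. Assumes mysqldump, tar, gzip and
# sha256sum are installed and that DB_HOST in wp-config.php is a plain
# hostname (no ":port" or socket suffix).
set -eu
# A failed dump piped into gzip must not pass silently: that is how you end
# up with an empty "backup". Enable pipefail where the shell supports it.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# wp_config_value CONFIG NAME
# Prints the value of define('NAME', 'value') from wp-config.php, or nothing.
wp_config_value() {
    grep -m 1 -E "^[[:space:]]*define\([[:space:]]*['\"]${2}['\"]" "$1" 2>/dev/null \
        | sed -E "s/^[^,]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/" || true
}

# backup_wordpress WP_ROOT DEST_DIR
# Dumps the database and archives wp-content, wp-config.php and .htaccess into
# DEST_DIR/wp-backup-<timestamp>.tar.gz with a .sha256 file beside it. Prints
# the archive path. Copy both files offsite afterwards (3-2-1 rule).
backup_wordpress() {
    wp_root="$(cd "$1" && pwd)"
    mkdir -p "$2"
    dest="$(cd "$2" && pwd)"
    config="${wp_root}/wp-config.php"
    # wp-config.php may live one directory above the webroot (see hardening).
    [ -f "$config" ] || config="$(cd "${wp_root}/.." && pwd)/wp-config.php"
    [ -f "$config" ] || { echo "wp-config.php not found for ${wp_root}" >&2; return 1; }
    stamp="$(date +%Y%m%d-%H%M%S)"
    archive="${dest}/wp-backup-${stamp}.tar.gz"
    dump="db-${stamp}.sql.gz"

    db_name="$(wp_config_value "$config" DB_NAME)"
    db_user="$(wp_config_value "$config" DB_USER)"
    db_pass="$(wp_config_value "$config" DB_PASSWORD)"
    db_host="$(wp_config_value "$config" DB_HOST)"
    [ -n "$db_name" ] || { echo "DB_NAME not found in ${config}" >&2; return 1; }

    # Database first. --single-transaction gives a consistent InnoDB snapshot;
    # the password goes through the environment so it never shows up in ps.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction --host="${db_host:-localhost}" \
        --user="$db_user" "$db_name" | gzip > "${dest}/${dump}"

    # Files: include only what exists (a site on nginx has no .htaccess).
    items=""
    for f in wp-content .htaccess; do
        if [ -e "${wp_root}/${f}" ]; then items="${items} ${f}"; fi
    done
    # $items is a fixed list of names without spaces, so it is safe unquoted.
    tar -czf "$archive" -C "$wp_root" $items \
        -C "$(dirname "$config")" wp-config.php -C "$dest" "$dump"
    rm -f "${dest}/${dump}"

    # Checksum beside the archive: re-run verify_backup on the offsite copy.
    (cd "$dest" && sha256sum "wp-backup-${stamp}.tar.gz" > "wp-backup-${stamp}.tar.gz.sha256")
    echo "$archive"
}

# verify_backup ARCHIVE
# The "test your backups" step: checksum must match and the archive must list.
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum --status -c "$(basename "$1").sha256") \
        && tar -tzf "$1" > /dev/null
}

# prune_backups DEST_DIR DAYS
# Keeps only the last DAYS days locally; long-term retention belongs offsite.
prune_backups() {
    find "$1" -name 'wp-backup-*.tar.gz*' -type f -mtime "+$2" -delete
}
```

Run it from cron before every update and daily for sites that change, then copy the archive and its .sha256 file to your cloud storage and run verify_backup on that copy.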
### Backup plugins: the practical choice
Manual backups via FTP and phpMyAdmin are possible but error-prone. Backup plugins automate the process and reduce the chance of human error.
**UpdraftPlus** (free + premium from €70/year)
- Most popular backup plugin (3+ million active installations)
- Automatic backups to Google Drive, Dropbox, Amazon S3
- Restore directly from WordPress admin
- Free version is fine for 90% of websites
- Premium adds incremental backups and support
**BackupBuddy** (€80-€199/year)
- Complete backup + migration tool in one
- BackupBuddy Stash cloud storage included
- Real-time database backups (premium)
- Malware scanning and repair functions
- Slightly more expensive but very complete
**BlogVault** (€99-€249/year)
- Offsite backups (not on your own server)
- Daily automatic backups with 90 days retention
- Staging environment for testing included
- 1-click restore with zero downtime
- Ideal for agencies with multiple sites
**Jetpack Backup** (€4,95-€41,65/month)
- Real-time backups with every change
- Automatic restore in 1 click
- Integrated with other Jetpack security features
- More expensive but extremely user-friendly
My recommendation for 90% of websites: start with **UpdraftPlus free** and upgrade to premium if you need incremental backups or priority support. Set up daily backups to Google Drive or Dropbox, and test at least once a month that your backup actually works by doing a restore.
**Pro tip:** Some hosting providers like TransIP, Antagonist, and Vimexx offer automatic daily backups as part of your hosting package. Check if your host offers this before buying a paid backup plugin. But never rely solely on backups from your host, always ensure a second external backup.
## Updates: your first line of defense
Here's the uncomfortable truth: **70% of all hacked WordPress sites had a security update available at the time of the hack**. Most hacks aren't sophisticated. They're bots exploiting known vulnerabilities in outdated plugins and themes.
Updates are your first and most important line of defense. But updating without a strategy can also go wrong, meaning downtime and broken functionality. Here's how to do it right.
### What should you update?
**WordPress Core** - Major releases (6.4 → 6.5) bring new features but also breaking changes. Minor releases (6.4.1 → 6.4.2) are security patches that you should install immediately. WordPress pushes security updates automatically, but check manually on a regular basis.
**Plugins** - 90% of all vulnerabilities are in plugins. Remove plugins you don't use. Update active plugins within a week of release. Plugins without updates in 12+ months are abandoned and pose a security risk.
**Themes** - Themes can also contain vulnerabilities. Update your active theme as soon as an update is available. Remove unused themes completely.
**PHP version** - Outdated PHP versions no longer receive security patches. Run at least PHP 8.0, preferably 8.1 or higher. Check your current version via Site Health in WordPress.
### Update strategy
**For small websites:**
1. Make a backup first
2. Update WordPress Core
3. Update plugins one by one
4. Test after each update that your site still works
5. If problems occur: restore backup and troubleshoot
**For critical websites:**
1. Create a staging environment
2. Test all updates first on staging
3. If everything works: push to production
4. Keep a backup ready for rollback
### Auto-updates: yes or no?
WordPress has automatic updates for core security releases. My advice:
**Yes to auto-updates for:**
- WordPress Core security patches (on by default, leave it that way)
- Plugins from reputable developers (Yoast, WooCommerce)
- Small security patches
**No to auto-updates for:**
- Major WordPress releases (test first)
- Page builders (Elementor, Divi) that can have breaking changes
- Plugins that directly affect payment functionality
You can enable/disable auto-updates per plugin in WordPress 5.5+ admin. Use this wisely.
**Pro tip:** Use a monitoring tool like ManageWP or MainWP to centrally manage and test updates on multiple sites. This saves an enormous amount of time if you manage 5+ sites.
## Login security: locking the front door
The login page is the easiest way in for hackers. And the standard wp-login.php URL literally advertises where that way is. Login security is layer 3 of your defense in depth strategy and has the highest ROI of all security measures.
Here are the most important tactics to secure your login, from must-have to nice-to-have.
### Two-Factor Authentication (2FA)
This is the single biggest win for login security. With 2FA you need two things to log in: your password (something you know) and a temporary code from your phone (something you have). Even if a hacker has your password, they can't get in without that second factor.
**Wordfence Login Security** (free)
- 2FA via authenticator app (Google Authenticator, Authy)
- TOTP standard (Time-based One-Time Password)
- XML-RPC protection included
- Login attempt limiting
**Two-Factor** plugin (free)
- Lightweight and open source
- Support for email codes and authenticator apps
- Backup codes for if you lose your phone
**iThemes Security Pro** (€80/year)
- 2FA is part of broader security suite
- Multiple 2FA methods (app, email, backup codes)
- Passwordless login for extra convenience
My recommendation: install **Wordfence Login Security** (free) and force 2FA for all admin and editor accounts. It takes 5 minutes to set up and stops 99% of brute force attacks.
### Login attempt limiting
Brute force attacks try thousands of password combinations in a short time. Login limiting sets a limit on the number of failed login attempts before an IP address is temporarily blocked.
**Limit Login Attempts Reloaded** (free)
- Block IP after X failed attempts
- Adjustable block duration (20 min to 24 hours)
- Email notifications for repeated attempts
- Whitelist for your own IP
**Wordfence** (free + premium)
- More aggressive blocking with threat intelligence database
- Detects known attacker IPs before they try to log in
- Real-time IP blocking
Set **4 attempts, then a 20-minute block**. For repeat offenders: a 24-hour block. This completely stops automated brute force.
### Username security
The default admin username advertises that you're admin. Hackers then only need to crack your password, not your username.
**Change your admin username:**
1. Create a new admin user with a unique username (not admin, administrator, or your domain name)
2. Log in with new account
3. Delete old admin account
4. Assign all content to new account
**Hide author archives:** Add this to your functions.php to prevent your username from being visible via author URLs:
```php
// Disable author archives: /?author=N and /author/<login>/ would otherwise
// reveal the login name. template_redirect runs before the template loads,
// so the visitor is sent to the home page instead.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
});
```
### Password best practices
Weak passwords are the #1 cause of successful brute force attacks. WordPress has forced strong passwords for new admin accounts since version 5.6, but existing accounts don't have this requirement.
**Strong passwords:**
- At least 16 characters
- Mix of uppercase, lowercase, numbers, and symbols
- Use a password manager (1Password, Bitwarden, LastPass)
- Unique per site (never reuse)
- Change passwords after a (potential) breach
**Force strong passwords for all users:** Use the plugin Force Strong Passwords to block weak passwords for editors, authors, and subscribers.
### Change login URL
The default wp-login.php URL is a big sign saying "hack here". By changing your login URL, you stop automated bots that specifically target wp-login.php.
**WPS Hide Login** (free)
- Change wp-login.php to custom URL (e.g., /my-login)
- Redirect default login to 404
- Lightweight (no bloat)
**Wordfence** (premium)
- Login URL change is part of broader security suite
- Extra features like CAPTCHA on login
Choose an obscure login slug that's not easy to guess: not /login or /admin but something unique. And save your new URL in your password manager, because if you forget it you need to regain access via FTP or phpMyAdmin.
### CAPTCHA: the bot stopper
CAPTCHA distinguishes people from bots and completely blocks automated login attempts.
**Google reCAPTCHA** via plugins:
- Advanced noCaptcha & invisible Captcha (free)
- Invisible to legitimate users, blocks bots
- Works on login, registration, and password reset
Combine CAPTCHA with login limiting for double protection: bots are stopped by CAPTCHA, persistent manual attacks by rate limiting.
## Hardening basics: strengthen your defense
WordPress is reasonably secure out-of-the-box, but there are dozens of settings you can tighten to make attacks more difficult. This is called hardening: removing unnecessary functionality and strengthening your configuration.
Hardening is layer 4 of defense in depth and the difference between an easy and a difficult target.
### Secure wp-config.php
Your wp-config.php contains your database credentials and security keys. If a hacker gets access to this file, game over. Here's how to protect it.
**Move wp-config.php outside the webroot:**
WordPress automatically looks one directory up if wp-config.php isn't in the root. This makes the file inaccessible via the browser.
```bash
# If your webroot is /home/username/public_html, WordPress also looks in
# /home/username (one directory up) for wp-config.php:
mv /home/username/public_html/wp-config.php /home/username/wp-config.php
```
**Hide wp-config.php via .htaccess:**
Add this to your .htaccess file to block direct access. The `<Files>` wrapper matters: without it, the two deny lines block every request to your site. On Apache 2.4 without mod_access_compat, replace the `order`/`deny` lines with `Require all denied`.
```apache
<Files "wp-config.php">
    order allow,deny
    deny from all
</Files>
```
**Disable file editing via admin:**
WordPress allows admins to edit theme and plugin files via the admin by default. This is a security risk. Disable it in wp-config.php:
```php
define('DISALLOW_FILE_EDIT', true);
```
**Change database prefix:**
The default wp_ prefix makes SQL injection attacks easier. Change it to something unique during installation, or afterwards via plugins like Brozzme DB Prefix.
**Regenerate security keys:**
WordPress uses security keys for cookies and sessions. Change them annually via the WordPress salt generator and paste the new keys in wp-config.php.
### File permissions
Wrong file permissions give hackers write access to your files. Linux file permissions work with three digits (owner/group/others) and three permissions (read/write/execute).
**Correct WordPress permissions:**
- **Directories: 755** (owner can do everything, others can read/execute)
- **Files: 644** (owner can read/write, others can only read)
- **wp-config.php: 600** (only owner can read/write)
**Restore permissions via SSH:**
```bash
# Navigate to your WordPress root
cd /path/to/wordpress
# Set directory permissions
find . -type d -exec chmod 755 {} \;
# Set file permissions
find . -type f -exec chmod 644 {} \;
# Extra security for wp-config.php
chmod 600 wp-config.php
```
Most hacks from file permission issues can be prevented with these standard settings.
### Disable directory indexing
If directory indexing is on, anyone can view the contents of your directories by going to /wp-content/uploads/. This is an information leak and security risk.
**Disable via .htaccess:**
```apache
Options -Indexes
```
Test by going to /wp-content/plugins/. You should see a 403 Forbidden error, not a list of plugins.
### Disable XML-RPC
XML-RPC is a WordPress API that allows remote access. It's used by some mobile apps and plugins, but it's also a popular attack vector for brute force and DDoS attacks.
**Check if XML-RPC is active:**
Go to `yoursite.com/xmlrpc.php`. If you see "XML-RPC server accepts POST requests only", it's active.
**Disable via .htaccess:** (the `<Files>` wrapper is required; on its own the deny rule would block the whole site)
```apache
<Files "xmlrpc.php">
    order deny,allow
    deny from all
</Files>
```
**Or via plugin:** Disable XML-RPC does the same with one click.
Note: if you use Jetpack or the WordPress mobile app, you need XML-RPC. After disabling it, test that everything still works.
### Database security
Your database credentials are the keys to your kingdom. If a hacker has these, they can read, modify, and delete everything.
**Use a strong database password:**
- At least 20 characters
- Randomly generated (use tools like passwordsgenerator.net)
- Unique for each database
**Limit database user privileges:**
Your WordPress database user doesn't need DROP DATABASE or CREATE USER rights. Only give:
- SELECT, INSERT, UPDATE, DELETE (data manipulation)
- CREATE, ALTER, INDEX (table management)
**Prefix database tables:**
Don't use the default wp_ prefix, but something like wpx47_. This makes SQL injection attacks more difficult.
**Regular database backups:**
See the backup section above. Your database is the most critical data of your site.
### Security headers
HTTP security headers instruct browsers how to interact with your site and protect against XSS, clickjacking, and other attacks.
**Add these headers via .htaccess:**
```apache
# Requires mod_headers; the IfModule guard avoids a 500 error on servers without it
<IfModule mod_headers.c>
    # XSS Protection (legacy header; current browsers ignore it, a CSP is the real control)
    Header set X-XSS-Protection "1; mode=block"
    # Prevent clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"
    # Prevent MIME type sniffing
    Header set X-Content-Type-Options "nosniff"
    # Referrer Policy
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    # Content Security Policy (test thoroughly before activating)
    # Header set Content-Security-Policy "default-src 'self';"
</IfModule>
```
Test your security headers on securityheaders.com. An A or A+ score is the goal.
**Plugin option:** HTTP Headers lets you configure headers via WordPress admin without editing .htaccess.
## SSL/HTTPS: encrypt everything
HTTPS encrypts all communication between your visitors and your server. Without HTTPS, hackers can intercept data (man-in-the-middle attacks), steal login credentials, and hijack cookies.
Since 2014, Google gives a ranking boost to HTTPS sites. Since 2018, Chrome marks HTTP sites as "Not Secure". And since 2023, HTTPS has practically become the standard. If your site still uses HTTP, you're too late.
### Let's Encrypt: free SSL
Let's Encrypt is a free Certificate Authority that issues 90-day SSL certificates. Almost all hosting providers support Let's Encrypt and automatic renewal.
**Via cPanel/Plesk:**
1. Log in to your hosting control panel
2. Look for "SSL/TLS" or "Let's Encrypt"
3. Click "Install" for your domain
4. Certificate is automatically requested and installed
**Via Managed WordPress host:**
Providers like TransIP WordPress hosting, Antagonist, and Vimexx often activate SSL automatically. Check your hosting dashboard.
### Force HTTPS: redirect HTTP to HTTPS
Your SSL certificate is installed, but visitors can still come via HTTP. Force all traffic to HTTPS:
**Via .htaccess redirect:**
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
**Via Really Simple SSL plugin:**
Really Simple SSL detects your SSL certificate and forces HTTPS with one click. It also automatically solves mixed content warnings.
### Solve mixed content
Mixed content means your HTTPS site loads resources via HTTP (images, CSS, JavaScript). Browsers block this, causing broken layouts and functionality.
**Check your site for mixed content:**
Open your site in Chrome, press F12, go to Console. Look for "Mixed Content" warnings.
**Fix mixed content:**
1. **Really Simple SSL plugin** solves 90% automatically
2. **Manually:** Search your database for http:// URLs and replace with https://
3. **Via wp-config.php:** Force WordPress to use HTTPS:
```php
define('FORCE_SSL_ADMIN', true);
// Only use this when a proxy you control (Cloudflare, a load balancer) terminates TLS
// and sets the header; otherwise a client could claim HTTPS simply by sending it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```
Test thoroughly after forcing HTTPS. Check all pages, especially checkout and login flows.
## Firewall (WAF): filter malicious traffic
A Web Application Firewall (WAF) sits between your visitors and your server and filters malicious traffic before it reaches your WordPress site. It blocks known attack patterns (SQL injection, XSS, brute force) and suspicious IP addresses.
There are two types of WAFs: cloud-based (traffic goes through external service) and plugin-based (runs on your server). Both have pros and cons.
### Cloud-based WAF: Cloudflare
Cloudflare is the most popular cloud-based WAF. It works as a proxy: all your traffic goes through Cloudflare servers, where it's filtered before reaching your site.
**Advantages:**
- Blocks attacks before they burden your server
- Built-in DDoS protection
- CDN (faster loading times) included
- Free plan is fine for small to medium sites
**Disadvantages:**
- All your traffic goes through Cloudflare (privacy consideration)
- Rate limiting can block legitimate users
- Setup requires DNS change
**Cloudflare setup:**
1. Create an account on cloudflare.com
2. Add your domain
3. Change your nameservers to Cloudflare (at your domain registrar)
4. Activate "Security Level: Medium" (or High for extra protection)
5. Enable "Browser Integrity Check" and "Challenge Passage"
**Pro tip:** Use Cloudflare "Under Attack" mode during active attacks. This shows all visitors a 5-second challenge before they can reach your site, effectively stopping bots.
### Plugin-based WAF: Wordfence
Wordfence is the most popular WordPress security plugin with 4+ million active installations. It includes a firewall that runs on your server and blocks malicious traffic.
**Wordfence Free features:**
- Web Application Firewall (new firewall rules arrive 30 days later than for premium)
- Brute force protection
- Malware scanner (basic)
- Security event logging
- Two-factor authentication
**Wordfence Premium (€99/year):**
- Real-time firewall rule updates
- Real-time malware signatures
- Country blocking
- Scheduled scans
- Premium support
**Wordfence setup:**
1. Install Wordfence via Plugins > Add New
2. Click "Manage Firewall" in Wordfence menu
3. Enable "Extended Protection" (optimized firewall)
4. Configure brute force settings (4 attempts, 20 min lockout)
5. Enable email alerts for critical issues
**Pro tip:** Wordfence consumes server resources. If your site becomes slow, consider Cloudflare (cloud-based) instead of Wordfence, or upgrade to better hosting.
### Alternative WAF plugins
**Sucuri Security** (free + premium from €199/year)
- Cloud-based WAF with premium plan
- Post-hack security action support
- Malware removal service included
- Website integrity monitoring
**All In One WP Security** (free)
- Lightweight alternative to Wordfence
- Basic firewall rules
- Login security and file protection
- Good for beginners (less overwhelming than Wordfence)
**iThemes Security Pro** (€80/year)
- Integrated security suite (no standalone WAF)
- Password expiration
- Two-factor authentication
- Scheduled malware scans
My recommendation: start with **Cloudflare free + Wordfence free**. This gives you two layers (cloud + server) at no cost. Upgrade to premium if you're actively being attacked or need professional support.
### IP blocking: the ban hammer
Some attacks come from specific IP ranges (e.g., known proxy services used by hackers). IP blocking stops these attacks directly.
**Via Wordfence:**
Wordfence → Firewall → Manage Rate Limiting & Blocking → Block IPs
**Via .htaccess:**
```apache
# 203.0.113.45 is a placeholder (documentation range); replace it with the address to block
order allow,deny
deny from 203.0.113.45
allow from all
```
**Country blocking:** If you only have Dutch visitors, you can block all traffic outside the Netherlands. This stops 80% of brute force attacks (which often come from Asian or Eastern European IP ranges). Wordfence Premium and Cloudflare offer country blocking.
Note: be careful with aggressive blocking. You can accidentally block legitimate users (false positives). Monitor your logs and whitelist your own IP.
## Malware scanning & monitoring
Prevention is 90% of security, but detection is the other 10%. Even with all security layers, malware can reach your site (e.g., via a compromised plugin you just installed). That's why you need monitoring.
Malware scanning detects suspicious files, modified core files, and backdoors before they cause damage. Activity logging shows who does what on your site, so you can spot suspicious actions.
### Security plugin comparison
| Plugin | Free version | Premium price | Malware scan | Real-time | WAF | 2FA | Best for |
|--------|--------------|---------------|--------------|-----------|-----|-----|----------|
| **Wordfence** | Yes (limited) | €99/year | Yes | Premium only | Yes | Yes | Medium sites |
| **Sucuri** | Yes (basic) | €199/year | Yes | Yes | Premium only | No | High-risk sites |
| **iThemes Security** | Yes | €80/year | Premium only | No | Basic | Yes | Beginners |
| **All In One WP Security** | Yes | N/A | Basic file check | No | Basic | No | Budget/small sites |
**Wordfence** is the most complete free option. The scanner runs every 24 hours and checks:
- Core file integrity (changes to WordPress core)
- Known malware signatures
- Backdoors and suspicious code
- Blacklist status (Google Safe Browsing)
**Sucuri** has the best reputation for post-hack cleanup. If your site is hacked, their team helps with malware removal and recovery. Premium is expensive (€199/year) but can pay for itself with one incident.
**iThemes Security** is the most user-friendly. Less technical than Wordfence, better UX, good choice for beginners.
**All In One WP Security** is ultra lightweight and free. Fewer features but also less server load. Good for shared hosting or if you already use Cloudflare for WAF.
### Scan frequency
**Daily:** If you have a webshop or membership site with sensitive data. Wordfence free scans automatically every 24 hours.
**Weekly:** For content websites and blogs without transactions. Schedule scans during quiet times (at night) to minimize server load.
**After updates:** Always scan after installing new plugins or themes. Some plugins get compromised on the WordPress repository itself.
**After incident:** If you see suspicious activity (unexpected logins, new admin users, changes you didn't make), scan immediately.
### Activity logging
Activity logs show who did what when on your site. This is essential for troubleshooting and security.
**WP Activity Log** (free + premium)
- Logs all changes (posts, plugins, users, settings)
- Search and filter functionality
- Email alerts for critical actions
- Premium adds SMS alerts and log archiving
**What to watch for in logs:**
- New admin users you didn't create
- Failed login attempts from unknown usernames
- File modifications outside update times
- Plugin/theme installations you didn't do
- Database queries from suspicious plugins
Wordfence includes basic activity logging. WP Activity Log is more detailed and better searchable.
**Pro tip:** Turn on email alerts for critical actions (new admin users, plugin installations, wp-config.php changes). You want to know within minutes if something suspicious happens, not days later.
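To make the "what to watch for" list concrete, here is an added example (not part of the original guide or of any plugin) that applies the threshold from the login-limiting section (4 failed attempts) to a web server access log: it reports source IPs with at least that many failed wp-login.php POSTs within one clock hour, plus bursts of POSTs to xmlrpc.php, and turns the report into deny lines in the syntax of the IP blocking section. It assumes the combined log format; the sample lines in the test are constructed, and the 200-versus-302 rule for failed versus successful logins is a heuristic.

```shell
#!/usr/bin/env bash
# Added example (not from the guide or any plugin): flag brute-force sources in
# a combined-format access log, using the guide's "4 attempts" threshold.
set -eu

# suspicious_logins LOGFILE [THRESHOLD]
# Prints "login|xmlrpc <ip> <day:hour> <count>" for every source that, within
# one clock hour, either POSTed to wp-login.php and got HTTP 200 at least
# THRESHOLD times (WordPress re-renders the form with 200 on a failed login and
# answers a successful one with a 302 redirect, so 200s approximate failures)
# or POSTed to xmlrpc.php at least THRESHOLD times (the XML-RPC vector).
suspicious_logins() {
    awk -v threshold="${2:-4}" '
    {
        ip = $1
        # $4 looks like [10/Dec/2025:14:03:11 -> keep day and hour: 10/Dec/2025:14
        hour = substr($4, 2, 14)
        method = $6; sub(/^"/, "", method)
        path = $7; sub(/\?.*/, "", path)
        status = $9
        if (method == "POST" && path ~ /\/wp-login\.php$/ && status == "200") {
            fail[ip SUBSEP hour]++
        }
        if (method == "POST" && path ~ /\/xmlrpc\.php$/) {
            rpc[ip SUBSEP hour]++
        }
    }
    END {
        for (k in fail) if (fail[k] >= threshold) {
            split(k, p, SUBSEP); print "login", p[1], p[2], fail[k]
        }
        for (k in rpc) if (rpc[k] >= threshold) {
            split(k, p, SUBSEP); print "xmlrpc", p[1], p[2], rpc[k]
        }
    }' "$1" | LC_ALL=C sort
}

# htaccess_deny_lines REPORT_FILE
# Turns a suspicious_logins report into "deny from <ip>" lines, one per unique
# address, for you to review before pasting into .htaccess or Wordfence.
htaccess_deny_lines() {
    awk '{ print $2 }' "$1" | LC_ALL=C sort -u | sed 's/^/deny from /'
}
```

Whitelist your own address before acting on the output, and treat a single report as a prompt to look at the log, not as proof.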
### File integrity monitoring
File integrity monitoring (FIM) detects changes to files on disk by comparing them against a known-good reference, for core files the originals shipped with that WordPress version.
**Wordfence scanner** automatically checks:
- WordPress core files (must exactly match original)
- Plugin files (changes could be malware)
- Theme files
If the scanner detects changes, you get a list of modified files. You can then:
1. **Restore to original** (if it's core files)
2. **Manually inspect** (if it's plugin/theme files)
3. **Delete** (if it's clearly malware)
False positives occur (especially with plugins that self-update). That's why it's important to check logs and not blindly restore everything.
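To show what a file integrity check does under the hood, here is an added example (not Wordfence's code): it builds a SHA-256 manifest of a WordPress tree and later diffs a fresh manifest against it, listing added, modified and removed files and returning non-zero so a cron job can alert only when something changed. It assumes GNU find, sort, xargs and sha256sum.

```shell
#!/usr/bin/env bash
# Added example (not Wordfence's code): a minimal file integrity monitor.
# fim_baseline records a SHA-256 manifest; fim_check diffs the tree against it.
# Assumes GNU find, sort, xargs and sha256sum (standard on Linux hosts).
set -eu

# fim_baseline ROOT MANIFEST
# Writes "sha256  ./relative/path" for every regular file under ROOT, sorted so
# manifests are reproducible. Page caches are excluded because they churn;
# uploads are kept on purpose, since an unexpected .php file there is exactly
# the kind of change you want to be told about.
fim_baseline() {
    (cd "$1" && find . -type f ! -path './wp-content/cache/*' -print0 \
        | LC_ALL=C sort -z | xargs -0 -r sha256sum) > "$2"
}

# fim_check ROOT MANIFEST
# Compares a fresh manifest with the stored one and prints one line per change:
# "added <path>", "modified <path>" or "removed <path>". Returns 0 when nothing
# changed and 1 otherwise, so cron mails the output only when there is one.
fim_check() {
    current="$(mktemp)"
    fim_baseline "$1" "$current"
    # A sha256sum line is 64 hex chars plus two spaces, so the path starts at
    # column 67; reading it that way keeps file names with spaces intact.
    changes="$(awk '
        NR == FNR { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in base)) { print "added " p } else if (base[p] != $1) { print "modified " p }
            delete base[p]
        }
        END { for (p in base) print "removed " p }
    ' "$2" "$current" | LC_ALL=C sort)"
    rm -f "$current"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}
```

Rebuild the baseline right after each update you made yourself, so that the next check reports only changes you did not make.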
## User management: who has access?
80% of all WordPress hacks happen via compromised user accounts. Not via advanced zero-days, but via stolen passwords and accounts with too many rights.
User management is therefore a critical security layer: limit who has access, only give the rights that are needed, and regularly audit who is active.
### WordPress user roles
WordPress has 6 default user roles with increasing rights:
**Subscriber** - Can only manage own profile. Use for newsletters and members-only content.
**Contributor** - Can write posts but not publish. Good for guest writers who need editorial control.
**Author** - Can write and publish own posts. Can't change settings or install plugins.
**Editor** - Can manage all posts (also from others) and moderate. No access to settings, plugins, or themes.
**Administrator** - Full control. Can do everything, including delete other users and install plugins.
**Super Admin** - Only in multisite networks. Manages all sites in network.
### Principle of Least Privilege
Give each user **only the rights they need**. No more. This is called Principle of Least Privilege and it limits damage if an account is hacked.
**Examples:**
- Content writer? → Author role (not Editor)
- Editor? → Editor role (not Administrator)
- Developer for short job? → Admin with 2FA, remove after job
- Yourself? → Admin, but use an Author account for daily work
**Red flags:**
- Sites with 5+ admin accounts (why?)
- Admin accounts for freelancers who stopped 6 months ago
- Shared admin account (admin@companyname.com) with weak password
### Limit admin accounts
The fewer admin accounts, the smaller the attack surface. Ideal: **1 personal admin per person who really needs it**.
**Audit your users:**
1. Go to Users in WordPress admin
2. Filter on Administrator role
3. Ask per admin account: is this needed?
4. Downgrade to Editor or remove account
**Temporary admin access:**
If a developer or designer temporarily needs admin rights:
1. Create an admin account with strong random credentials
2. Force 2FA on this account
3. Remove the account as soon as the job is done
4. Scan your site after removal (check that no backdoors were left behind)
**Pro tip:** Use the plugin User Role Editor to create custom roles with exactly the rights you need. For example, an "SEO Manager" role that can edit posts and use Yoast, but can't install plugins.
### Password policies
Weak passwords are the #1 cause of compromised accounts. WordPress has forced strong passwords for admins since 5.6, but not for other roles.
**Force strong passwords for all roles:**
Plugin: Force Strong Passwords
**Password expiration:**
Some security experts recommend password rotation (change passwords every 90 days). Others say this encourages users to use weaker, easier to remember passwords. My advice: only use password rotation for shared accounts. For personal accounts with 2FA it's not needed.
**Inactive account cleanup:**
Remove accounts that have been inactive for 6+ months. Their owners have forgotten the password anyway, and old accounts are a security risk.
## Hosting security: the foundation
Security starts with your hosting. Even with all plugins and hardening measures, you can't secure a compromised server. Your host is the foundation on which all other layers rest.
Not all hosting is equal. Budget shared hosting with 500 sites on one server is inherently less secure than managed WordPress hosting with isolation and proactive security monitoring.
### Managed WordPress hosting advantages
Managed WordPress hosts specialize in WordPress and take much security work off your hands:
**Automatic updates** - Core updates and often plugin updates are automatically installed (after testing on staging).
**Proactive malware scanning** - Server-level scans detect malware before it reaches your site.
**DDoS protection** - Built-in protection against volumetric attacks.
**Staging environments** - Test updates safely before they go live.
**Daily backups** - Automatic and stored offsite.
**Dedicated resources** - No shared server with 500 other sites that can be hacked.
**Known managed WordPress hosts:**
- TransIP Managed WordPress - €8,99-€29,99/month, Dutch, includes SSL and backups
- Antagonist Managed WordPress - €15-€50/month, focus on performance and security
- Kinsta - $35-$400/month, premium tier, Google Cloud infrastructure
- WP Engine - $30-$290/month, enterprise features, staging included
Managed hosting costs more than shared hosting (€10-30/month vs €3-5/month), but saves hours of security work and has better uptime. For business sites it's worth the investment.
### Dutch hosting providers with security focus
If you prefer to stay with a Dutch host (data in the Netherlands, Dutch support):
**TransIP** - Free SSL, automatic backups, DDoS protection standard. Managed WordPress package adds staging and premium support.
**Antagonist** - Security-first host, proactive monitoring, managed updates. More expensive but extremely reliable.
**Vimexx** - Solid basic security (SSL, backups), affordable (€4-12/month). Fewer managed features but good for tech-savvy users.
**Hostnet** - Enterprise hosting, dedicated servers, managed services. For large webshops and corporate sites.
**Byte** - Budget shared hosting with good basic security. €3-8/month, good for starters and hobby sites.
### Hosting security checklist
If you stay with your current host, check if they offer these security basics:
**Must-haves:**
- Free SSL certificates (Let's Encrypt)
- Automatic backups (daily, at least 7 days retention)
- A currently supported PHP version (8.1 or newer; PHP 8.0 reached end-of-life in November 2023)
- SSH access for developers
- Firewall (server-level)
**Nice-to-haves:**
- Malware scanning
- DDoS protection
- Staging environments
- Git integration
- Web Application Firewall (WAF)
**Red flags:**
- PHP 8.0 or lower (end-of-life, no security patches)
- No SSL support
- No backups or only manual backups
- Support that doesn't respond for days
- Regular downtime
No SSL or an end-of-life PHP version is reason enough on its own; if your host has 3+ red flags, seriously consider migrating. Hosting is too important to skimp on.
**Pro tip:** Test what your host exposes to the outside world with Mozilla Observatory and ImmuniWeb. These tools check your TLS configuration and HTTP security headers and give concrete recommendations. They don't see the server itself, so a clean score says nothing about backups, isolation or patching; for that you still need the checklist above.
## Incident response plan: when things go wrong
You can stop 99% of attacks, but that last 1% can still get through. Maybe via a zero-day vulnerability, maybe via social engineering, maybe via a compromised developer. Shit happens.
The question isn't if you'll ever get hacked, but what you do when it happens. An incident response plan means the difference between 2 hours downtime and 2 weeks of misery.
### If you're hacked: action plan
**Step 1: Stay calm and document**
Panic causes mistakes. Take a breath. Before you touch anything, record what you see: screenshots of suspicious admin users, modified files and error messages, plus the time you noticed. This is the evidence you'll need later to work out how they got in.
**Step 2: Take your site offline**
Prevent further damage and protect your visitors. Via plugin (WP Maintenance Mode) or manually by creating a file named `.maintenance` in the WordPress root (next to wp-config.php) with this content:
```php
<?php $upgrading = time(); ?>
```
WordPress then answers every request with a 503 "Briefly unavailable for scheduled maintenance" page. Core normally ends maintenance mode once `$upgrading` is more than ten minutes old, but because `time()` is re-evaluated every time the file is loaded, this version stays in effect until you delete the file. Know the limit of this approach: the check only runs when WordPress boots, so a backdoor dropped as a standalone PHP file is still reachable. For a real incident, also close the site at the web server level (an IP allowlist for your own address in `.htaccess` or the nginx config, or your host's "site offline" switch) so nothing but your own requests reach PHP.
**Step 3: Change all passwords**
All accounts (WordPress admin, FTP/SFTP, database, hosting control panel). Use new, unique passwords, not variants of the old ones, and do this from a clean computer, not from the possibly compromised server.
**Step 4: Backup the hacked state**
Sounds counter-intuitive, but you will need forensic data to find out how the attacker got in. Copy the current (hacked) site, including the database and the web server logs, to an external location before you start cleaning. Do your analysis on that copy where possible.
**Step 5: Scan and identify malware**
Run a full Wordfence or Sucuri scan. Look for:
- PHP files in /wp-content/uploads/ (that directory should contain only media)
- Core files that differ from the official WordPress release of the same version
- Suspicious or obfuscated code in the theme's functions.php (eval, base64_decode and similar)
- Admin users you didn't create
- Plugins, and especially must-use plugins in /wp-content/mu-plugins/, that you didn't install
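To make Step 5 concrete, here is an added example that is not the article's own code and does not depend on Wordfence or Sucuri: a first-pass triage of a WordPress tree with plain POSIX tools. It assumes the first argument is the WordPress root and, for the core check, that you have a `sha256sum`-format manifest made from a clean copy of the same WordPress version (the manifest path is an assumption, not a WordPress file). Run it read-only, ideally against the forensic copy from Step 4.

```shell
#!/bin/sh
# Added example (not from the article). First-pass triage of a WordPress tree
# using only find, grep, sha256sum and sed. $1 = WordPress root.

# 1. PHP under uploads/. That directory holds media; a .php file there is the
#    classic dropped webshell (also catch .phtml and .php7-style names).
uploads_php() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 2. Obfuscation idioms that backdoors rely on: eval/base64/gzinflate chains
#    and "call whatever is in a request parameter". Legitimate plugins trip
#    some of these too, so treat the output as a reading list, not a verdict.
suspicious_php() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|\$_(POST|GET|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
    "$1/wp-content" "$1/wp-config.php" 2>/dev/null
}

# 3. Core files that no longer match a known-good manifest. $2 = manifest in
#    sha256sum format (absolute path), made on a clean copy with e.g.
#    find wp-admin wp-includes -type f | xargs sha256sum > core.sha256
#    Prints only files whose hash differs or that are missing.
core_mismatches() {
  ( cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null ) | sed -n 's/: FAILED.*$//p'
}

# 4. Files changed in the last N days ($2, default 7). Timestamps can be
#    faked, so an empty list proves nothing; a non-empty one is a shortlist.
recent_files() {
  find "$1" -type f -mtime "-${2:-7}" ! -path '*/wp-content/cache/*'
}

# Run all checks and print a labelled report. $1 = root, $2 = manifest (optional).
triage() {
  root="$1" manifest="$2"
  echo "== PHP files in uploads =="; uploads_php "$root"
  echo "== Obfuscated PHP =="; suspicious_php "$root"
  [ -n "$manifest" ] && { echo "== Core files differing from manifest =="; core_mismatches "$root" "$manifest"; }
  echo "== Files changed in the last 7 days =="; recent_files "$root" 7
}

# Usage: sh triage.sh /var/www/html /root/core.sha256
if [ "$#" -ge 1 ]; then triage "$@"; fi
```

Two of the items in the list above need the database rather than the filesystem: with WP-CLI, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` shows the admin accounts and when they were created, and `wp core verify-checksums` compares core against the WordPress.org checksums if the server still has network access. Keep the manifest for check 3 off the server; a manifest the attacker can edit proves nothing.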
**Step 6: Clean or restore**
Two options:
**Option A: Clean (only if you know exactly where the malware is and how it got in)**
- Remove suspicious files
- Replace core, plugins and themes with fresh copies of the same versions rather than editing modified files
- Update all plugins and themes
- Remove unknown admin users
**Option B: Restore from backup (safer)**
- Restore a backup from before the compromise. Attackers often sit on a site for weeks before the visible damage, so pick a backup that predates the intrusion, not just the day you noticed it
- You will lose content created after the backup date
- Update everything and close the entry point before going online, or you restore the vulnerability along with the site
**Step 7: Harden and update**
Before going online again:
- Update WordPress, plugins, themes to latest versions
- Remove unnecessary plugins
- Implement 2FA
- Rotate the keys and salts in wp-config.php (this invalidates every existing login cookie, including any the attacker still holds)
- Scan again
**Step 8: Monitor intensively**
Check daily after the hack:
- Activity logs for suspicious actions
- New files in wp-content
- Failed login attempts
- Server resource usage (cryptominers use a lot of CPU)
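For the "failed login attempts" item in Step 8 (and the weekly failed-login review in the checklist further down), here is an added example that is not part of the article: an awk pass over the web server access log that flags brute-force sources without any plugin. It assumes the Apache/nginx "combined" log format and WordPress's default behaviour, where a failed POST to wp-login.php re-renders the form with HTTP 200 and a successful one answers with a 302 redirect; a WAF or login plugin that changes those status codes would change the heuristic. The log lines at the bottom are constructed sample data (RFC 5737 documentation addresses) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article). Flags brute-force sources in a
# combined-format access log. $1 = log file, $2 = threshold (default 10).

login_abuse() {
  awk -v limit="${2:-10}" '
    # Fields in combined format: $1 ip, $6 "METHOD, $7 path, $9 status.
    $6 ~ /"POST/ && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    $6 ~ /"POST/ && $7 ~ /^\/wp-login\.php/ && $9 == 302 { ok[$1]++ }
    # xmlrpc.php POSTs: system.multicall lets one request carry many guesses,
    # so volume alone is the signal here.
    $6 ~ /"POST/ && $7 ~ /^\/xmlrpc\.php/                 { xmlrpc[$1]++ }
    END {
      # A source with many failures AND a success is the one to act on first:
      # that is a guessed password, not just noise.
      for (ip in fails)  if (fails[ip]  >= limit) printf "%s failed_logins=%d successes=%d\n", ip, fails[ip], ok[ip] + 0
      for (ip in xmlrpc) if (xmlrpc[ip] >= limit) printf "%s xmlrpc_posts=%d\n", ip, xmlrpc[ip]
    }' "$1"
}

# Constructed sample log, written to $1: one password-spraying bot, one
# legitimate user who mistyped once, and one xmlrpc.php hammering bot.
write_sample_log() {
  {
    i=0
    while [ "$i" -lt 12 ]; do
      echo '203.0.113.10 - - [11/Dec/2025:03:14:07 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.32"'
      i=$((i + 1))
    done
    echo '198.51.100.7 - - [11/Dec/2025:09:02:11 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "https://example.com/wp-login.php" "Mozilla/5.0"'
    echo '198.51.100.7 - - [11/Dec/2025:09:02:30 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"'
    echo '198.51.100.7 - - [11/Dec/2025:09:02:31 +0100] "GET /wp-admin/ HTTP/1.1" 200 18765 "-" "Mozilla/5.0"'
    i=0
    while [ "$i" -lt 10 ]; do
      echo '203.0.113.99 - - [11/Dec/2025:04:40:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
      i=$((i + 1))
    done
  } > "$1"
}

# Usage: sh login_abuse.sh /var/log/apache2/access.log 10
if [ "$#" -ge 1 ]; then login_abuse "$@"; fi
```

If your site sits behind Cloudflare or another proxy, the first field is the proxy's address, not the client's; configure the log format to record the real client IP (from the `CF-Connecting-IP` or `X-Forwarded-For` header) first, or every offender looks like Cloudflare. The same script also answers the XML-RPC question in the FAQ: if the xmlrpc.php line lights up and nothing you run needs it, block it.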
### Professional recovery services
Some hacks are too complex to solve yourself. Backdoors can be deeply hidden, and if you miss one, you'll be hacked again within a week.
**Sucuri Incident Response** (€299-899)
- Malware removal by security experts
- Backdoor detection and removal
- Blacklist removal (Google, Norton, McAfee)
- Post-hack security hardening
**Wordfence Care** (from €490)
- Priority support via ticket and chat
- Hands-on malware removal
- Fix for hacked sites within 24 hours
**Local security experts**
In the Netherlands there are various WordPress security specialists who do incident response. Google "WordPress hack help Netherlands" and check reviews.
**When to call professional help:**
- You find no malware but the site keeps behaving suspiciously
- Google has blacklisted your site
- You're hacked again after cleaning yourself
- You have no recent backup
- Your site is critical for your business and you can't risk downtime
### Google blacklist removal
If Google detects your site as malware or phishing, you get a big red warning in search results. This is catastrophic for traffic.
**Check if you're blacklisted:**
- Google Transparency Report
- Search Console → Security Issues
**Blacklist removal process:**
1. Clean all malware completely (Google rescans automatically)
2. Request review in Google Search Console
3. Explain what you fixed and what steps you took
4. Wait for the review: typically 3-7 days
**Pro tip:** The review itself takes days, but it can be 2-4 weeks before every warning is gone, longer if you get reinfected in the meantime because the entry point was never closed. This is why prevention is so important: a stint on the blacklist costs you thousands of euros in lost revenue.
## Security checklist: make it a habit
WordPress security isn't a one-time job but a set of habits. This checklist helps you make security part of your routine.
### Daily (5 minutes)
**Check activity logs** - Scan for suspicious login attempts or unknown changes. WP Activity Log or Wordfence activity log.
**Monitor uptime** - Use an uptime monitor (UptimeRobot, Pingdom) to detect downtime immediately. Unexpected downtime could be an attack.
### Weekly (15 minutes)
**Check for updates** - WordPress core, plugins, themes. Update within 7 days of release (after backup); for security releases of plugins with a published vulnerability, update the same day, because automated scanners start probing within hours.
**Review failed logins** - Check if there are brute force attempts. Wordfence → Tools → Live Traffic.
**Backup verification** - Check if your last automatic backup was successful.
### Monthly (30 minutes)
**Run full malware scan** - Wordfence or Sucuri full scan. Check all flagged files.
**Audit users** - Check if all admin accounts are still needed. Remove inactive users.
**Review installed plugins** - Are there plugins you no longer use? Deactivate and remove. Every unnecessary plugin is a potential vulnerability.
**Test your backup restore** - Download a backup and restore on a staging environment. Test if everything works.
### Quarterly (1 hour)
**Regenerate security keys** - Change your WordPress salts and keys in wp-config.php via the WordPress generator. This invalidates every login cookie, so all users (you included) have to log in again.
**Security audit** - Run your site through WPScan or Sucuri SiteCheck for external vulnerability scan.
**Review Google Search Console** - Check for security issues, manual actions, or malware warnings.
**Update PHP version** - Check if your host supports newer PHP versions and test if your site is compatible.
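The "regenerate security keys" step above can be scripted so it actually happens every quarter. The following is an added example, not the article's or WordPress's own code: it rewrites the eight `define()` lines in a wp-config.php in place. It assumes the stock `define( 'AUTH_KEY', '...' );` layout and uses 64 characters of random base64 as each value, which satisfies WordPress's only requirement (a long, unique, unpredictable string that contains no quote character); the `.bak` copy it leaves behind is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the article). Rotates the WordPress keys and salts
# in a wp-config.php. $1 = path to wp-config.php.

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 48 random bytes -> 64 base64 characters. Base64 never contains ' or \,
# so the value is safe inside a single-quoted PHP string.
new_salt() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print the current value of each key/salt, one per line, in SALT_NAMES order.
# Splitting on ' turns  define( 'AUTH_KEY', 'x' );  into fields: name = $2, value = $4.
salt_values() {
  for name in $SALT_NAMES; do
    awk -F"'" -v n="$name" '$2 == n { print $4 }' "$1"
  done
}

# Replace every value with a fresh one. Keeps a .bak copy of the file first.
rotate_salts() {
  cfg="$1"
  cp "$cfg" "$cfg.bak" || return 1
  for name in $SALT_NAMES; do
    value=$(new_salt)
    # '|' as the sed delimiter because base64 contains '/'. The pattern only
    # matches a define() of exactly this name, so AUTH_KEY does not touch
    # SECURE_AUTH_KEY.
    sed "s|define( *'$name', *'[^']*' *);|define( '$name', '$value' );|" "$cfg" > "$cfg.tmp" \
      && mv "$cfg.tmp" "$cfg" || return 1
  done
}

# Usage: sh rotate_salts.sh /var/www/html/wp-config.php
if [ "$#" -ge 1 ]; then rotate_salts "$1"; fi
```

With WP-CLI installed, `wp config shuffle-salts` does the same thing. Either way, every authentication cookie becomes invalid the moment the file is saved, which is exactly why the incident response section has you rotate the salts after changing passwords: it throws out whoever is still holding a stolen session cookie.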
### Annually (2-3 hours)
**Complete security review** - Go through this entire guide again and check which steps you skipped.
**Password rotation** - Change all important passwords (hosting, database, main admin account).
**Theme/plugin audit** - Are there plugins that haven't had an update in 12+ months? Look for alternatives.
**Hosting review** - Is your current host still competitive in terms of security, performance, and price? Check our hosting comparison.
**Disaster recovery test** - Simulate a complete site crash and test if you can restore from zero with only your backups.
### Automation tips
**Email alerts** - Turn on notifications for critical events (new admin users, failed logins, malware detection).
**Scheduled scans** - Wordfence and Sucuri can automatically scan during quiet times (3-5 AM).
**Update monitoring** - Tools like ManageWP or MainWP give central dashboards for update status on multiple sites.
**Uptime monitoring** - UptimeRobot (free) checks every 5 minutes if your site is online and alerts you via email/SMS.
The more you automate, the less you can forget. The goal is to make security invisible and automatic, so it's not a daily distraction.
## Frequently asked questions
**Are free security plugins enough or do I need to pay?**
For 90% of websites, free plugins (Wordfence Free, All In One WP Security) are sufficient combined with Cloudflare free. Upgrade to premium if you're actively being attacked, need real-time updates, or want professional support. For webshops and membership sites with sensitive data, premium is worth the investment.
**How do I know if my site is hacked?**
Red flags: unexpected redirects, new admin users you didn't create, Google blacklist warning, spam emails from your domain, suspicious files in wp-content/uploads/, extreme server load without traffic increase. Run a Wordfence or Sucuri scan if you suspect something.
**What's more important: firewall or malware scanner?**
Firewall is prevention (stops attacks before they're inside), scanner is detection (finds malware that's already inside). You need both. Priority: first firewall (Cloudflare + Wordfence), then scanner. But ideally both layers are active.
**Should I disable XML-RPC?**
Yes, unless something you rely on needs it (Jetpack and the WordPress mobile apps are the usual cases). XML-RPC is a favourite brute-force vector: its `system.multicall` method lets an attacker try hundreds of passwords in a single request, so per-request rate limits on wp-login.php don't help, and `pingback.ping` can be abused to make your site attack others. Block it at the web server or at Cloudflare rather than only with a plugin, so the request never reaches PHP, and test afterwards that your plugins still work.
**Can I be hacked via my theme?**
Yes, especially nulled themes (illegal premium themes) often contain backdoors. Only use themes from reputable developers (ThemeForest, Elegant Themes, StudioPress) or the WordPress repository. Update your theme regularly.
**Is WordPress more or less secure than other CMS?**
WordPress core itself is relatively secure and patched quickly. The problem is the ecosystem: with 60,000+ plugins, quality control is difficult, and the overwhelming majority of vulnerabilities are in plugins and themes. Joomla and Drupal have similar issues. A proprietary CMS has a smaller attack surface but is less flexible and gets far less scrutiny. With good security practices, WordPress is secure enough for government and large-enterprise sites.
**How much does good WordPress security cost?**
Basic security (free plugins + Cloudflare + Let's Encrypt) costs €0/month but requires technical knowledge. Midrange (premium plugins + managed hosting) costs €15-40/month. Enterprise (dedicated security team + managed services) from €200/month. For most sites, €20-30/month is sufficient.
**What should I do after a successful hack?**
See the Incident Response section above. Short: maintenance mode, change all passwords, scan and clean malware, restore from backup if needed, harden and update everything, monitor intensively. Consider professional help if you can't do it yourself.